Ok, Blizz. Enough is enough.

#0 - Feb. 8, 2010, 4:29 a.m.
Blizzard Post
So far, my GuildMaster has had her account hacked twice. Once within 24 hours of control being returned to her. So I have some serious questions, and I want Blue answers, not the usual forum trolls that think that WoW exists for their LuLz.
1) Why are accounts allowed to connect from foreign IP addresses? An account that has played for years from one area attempts to connect from China and you let it?
2) Why is it taking 4+ DAYS for a GM response in game. I understand that sometimes there's a lot of traffic, especially on weekends. If you have that many freaking requests for help, hire more GMs. Period.
2-a) Why is it that your GMs only work "Bankers Hours" on the west coast. This game is played 24/7, and your support should be staffed at all times. With "14 million" people playing, there are serious issues occurring at all times of play, not just when your Business Offices are open.
3) Why is it that Mobile Authenticators are being added to accounts by hackers using the iTunes applications? These applications should be limited to one account, and traced so when an authenticator is used to prevent someone from retaking control of their account then legal action can be taken.
3-a) Why are you allowing the mobile authenticator to be placed on an account with no verification that the account holder is the one using the authenticator. Use a billing CC check, or an email alert, or any one of a dozen other methods to confirm, OUTSIDE of Battlenet and WoW, that these changes have been requested.
4) Why are IP address ranges that have hacked system still being allowed to connect to the game?

Blizz, these are just a few of the questions that I have regarding your security, and the holes that apparently have been overlooked. Even if you can't fix some of these problems, how about you address them so that players know you're working on it. Otherwise, I will have to assume that you are not working on it, don't care about it, and your internal systems are as likely to be compromised as your game.
#7 - Feb. 8, 2010, 4:44 a.m.
Blizzard Post
Quote:
1) Why are accounts allowed to connect from foreign IP addresses? An account that has played for years from one area attempts to connect from China and you let it?


We do not currently restrict where you play from, Skuasept, people commonly play from all over the world.
Quote:

2) Why is it taking 4+ DAYS for a GM response in game. I understand that sometimes there's a lot of traffic, especially on weekends. If you have that many freaking requests for help, hire more GMs. Period.


It doesn't, the current queue time for initial response is around 24 hours.
Quote:


2-a) Why is it that your GMs only work "Bankers Hours" on the west coast. This game is played 24/7, and your support should be staffed at all times. With "14 million" people playing, there are serious issues occurring at all times of play, not just when your Business Offices are open.


You are misinformed. The In-Game Support staff is here 24/7. If you are referring to our Billing and Account Services department, they are open for 12 hours from 8 AM PST to 8 PM PST 7 days a week.
Quote:

3) Why is it that Mobile Authenticators are being added to accounts by hackers using the iTunes applications? These applications should be limited to one account, and traced so when an authenticator is used to prevent someone from retaking control of their account then legal action can be taken.


An authenticator, any authenticator, may be attached to as many accounts as the user wishes. If you wish to see it otherwise you are welcome to post on our Suggestion forum.

You are also welcome to speak with your attorney on what legal recourse you may have involving an account.
Quote:

3-a) Why are you allowing the mobile authenticator to be placed on an account with no verification that the account holder is the one using the authenticator. Use a billing CC check, or an email alert, or any one of a dozen other methods to confirm, OUTSIDE of Battlenet and WoW, that these changes have been requested.


Verification is required when attaching an Authenticator. It requires the Account name and password to be entered before one may be attached, which should only be known by the registered user of the account.

Quote:
Blizz, these are just a few of the questions that I have regarding your security, and the holes that apparently have been overlooked. Even if you can't fix some of these problems, how about you address them so that players know you're working on it. Otherwise, I will have to assume that you are not working on it, don't care about it, and your internal systems are as likely to be compromised as your game.


As I said, feel free to post in the Suggestion forum with any feedback regarding this game or our methods.

Please note that account security, Skuasept, is under the direct control of the registered user of that account. I'm sorry to hear that your Guild Master has been compromised twice, it would be a good idea if she reviewed the available material and made certain that her system is secure.

** Computer Security Recommendations **
http://forums.worldofwarcraft.com/thread.html?topicId=1778038509&sid=1
#9 - Feb. 8, 2010, 4:57 a.m.
Blizzard Post
Quote:
2-a) If GMs work 24/7/365, then where are they? I don't expect instant answers from them, but I DO ask for something sooner than 4 days.


Game Master responses, as I stated, are around 24 hours at the moment. Compromise investigations do take a bit longer. Our staff is working on lowering resolution time but it will still take several days before a compromise investigation can be completed.
Quote:

And to be blunt, if the game is active 24/7, then there should be a live person on a telephone that can be called any time the game is running to deal with a major issue like an account hack.


To be blunt, Skuasept, we are happy to help as quickly as we are able to but we didn't compromise or by lack of proper security allow a compromise to occur. It is important to point out that we designed our policies because we understand how much work goes into leveling and outfitting your characters and we want to repair that damage if by some unfortunate circumstance something like this happens.

I think the important thing to do is secure the account and work with your other guild members to make sure they understand proper security practices.

Good luck.

#23 - Feb. 8, 2010, 5:50 a.m.
Blizzard Post
Quote:

hey I am just saying, I pretty much timed a ticket, it was around 3 days give or take a couple of hours. Internal information =/= ability to modify space and time...


Was the petition escalated at any point, Oogrash? That, of course, would indicate a Character Specialist involvement which would take longer. I did specify that "initial" response is around 24 hours currently.

If you can give me name and realm of the character that submitted the petition I would be delighted to look. If it is on this account just the realm is needed.

Edit: Never mind, I found it on one of your other accounts. It looks like it was a compromise investigation request, it did take longer than normal to send out the response. It was answered in 2 days 5 hours and 7 minutes. :)

#25 - Feb. 8, 2010, 6:06 a.m.
Blizzard Post
I edited my previous post while you were typing. :D

Quote:
Also do you know if the specialists can do a restoration on one character earlier than the whole account? I am having a blast on the CS forums but I think the regulars may get bored of me soon :P


Not that I'm aware of, Oogrash, they usually are unable to provide any restoration until the investigation can be completed. :(
#28 - Feb. 8, 2010, 6:46 a.m.
Blizzard Post
Quote:
Umm.. when you say investigation is it possible to acquire the address of the brilliant fellow that was able to access my account? I would love to personally congratulate them...


Our investigation tracks what happened and whenever possible we do take appropriate actions based on what is found. We would be unable to provide specific information of course, sorry, Oogrash. :)